On Monday, March 13, 2017 at 5:07:42 AM UTC-4, Jean-Philippe Ouellet wrote: > On Mon, Mar 13, 2017 at 5:04 AM, Jean-Philippe Ouellet <[email protected]> wrote: > > On Mon, Mar 13, 2017 at 2:29 AM, InfusingPrivacy > > <[email protected]> wrote: > >> 1. Is there a guide on how we can harden the netvm? How can I view what > >> default services, files, ports/remote access are enabled on the default > >> netvm and how make my hardening customizations to the netvm permanent? I > >> mainly want to make sure the netvm has no remote filesystem access from > >> the internet (i.e. ssh, ftp, etc); the only 'access' should be from dom0. > > > > You should do your firewalling, etc. in sys-firewall rather than > > sys-net. This is because sys-net has a higher chance of being > > compromised via vulnerable wireless card drivers or malicious wireless > > card firmware, and you would not want that compromised sys-net to be > > able to turn off your firewall! ;) This is the reason sys-firewall > > exists as a separate domain behind it. > > Likewise, when you are running "high-risk" (complex) protocol parsers > (like tcpdump, wireshark, etc.), it is preferable to do so in sys-net > (or a cloned sys-net based on a template with such tools installed) > rather than sys-firewall, because it is desirable to protect > sys-firewall from such attack vectors.
Ok; thanks for all of the information! It was very helpful! -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To post to this group, send email to [email protected]. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/2d35829e-ea9b-4009-9041-2896c110ac87%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
